Ir al contenido principal

Ralsina.Me — El sitio web de Roberto Alsina

Why isn't this in the kernel?

The nth mod­ule for ipt­a­bles.

This nifty gad­get lets you match the nth pack­et to a rule.

What for? Well, sup­pose you have two links, and have im­ple­ment­ed split ac­cess as per the LARTC

Ac­cord­ing to the same LARTC, you can im­ple­ment per-route load bal­anc­ing by cre­at­ing a mul­ti­path route.

That works well... as long as the traf­fic orig­i­nates on the fire­wall it­self (say, us­ing a Squid).

If the traf­fic comes from a SNATd sub­net, it break­s, be­cause you SNAT (or MASQ) it to one of your ex­ter­nal IP­s, and then it's rout­ed on­ly through that link, for ob­vi­ous rea­sons 1

You can route based on orig­i­nal source IP, so you can tell half the box­es to go left, and the oth­er half to go right.

And then if the client box­es are used un­even­ly, your bal­anc­ing suck­s.

So, what's the so­lu­tion? Match ev­ery sec­ond state NEW pack­et over each link.

Since ipt­a­bles's MASQ or SNAT will make the state ES­TAB­LISHED,RE­LAT­ED pack­ets fol­low the lead­er, each con­nec­tion al­ter­na­tive­ly routes left or right.

While not 100% right (y­ou can be un­lucky and re­di­rect all long con­nec­tions on the same link), it is much bet­ter than the sim­ple al­ter­na­tives, and much sim­pler than the bet­ter al­ter­na­tives.

But hey, nth is on­ly on patchomat­ic. And Red Hat's (Fe­do­ra's) ker­nel makes patchomat­ic go nut­s.

So it's cus­tom-k­er­nel-­com­pil­ing time, and I hate do­ing that. Re­al­ly, this patch seems sim­ple. Why is it not in?


If you rout­ed it through the oth­er, your ISP would re­ject the pack­et­s, be­cause the ori­gin IP is for­eign to him.

Contents © 2000-2020 Roberto Alsina